Cris Ewell, Seattle Children's: 'I fell in love with security'

CISO says the utopia we're all after is finding out who's attacking and designing protections in real-time
By Mike Miliard
08:00 AM
Share
Cris Ewell

Cris Ewell bought his first computer in 1979 and hasn't looked back. "It just fascinated me with how these things work," he said.

By the mid-'90s, "back in the (Windows) NT 3.51 days," before "security was even a thing yet," Ewell had begun spelunking the inner workings of systems, exploring their vulnerabilities and seeking ways to keep the bad guys out.

"I fell in love with security and have been doing it ever since," he said.

But back then he could have scarcely imagined the sophisticated cyber menace faced by hospitals and health systems today.

No way, said Ewell. In those days, the threats were "wardriving and people using your modems. Email wasn't a thing yet. The worst thing was someone dialing up your modem and maybe getting into your system."

The idea of gaining instant access to troves of sensitive data, the ability to cause enterprise-wide havoc with a mouse-click or two, that wasn't on his radar screen.

"Having to deal with nation-states, organized crime, hacktivists that have 24-hour access to your systems, or at least to the outside edges of your systems. I never could have imagined that threat."

Over his career, Ewell has worked in a variety of industries, including insurance (PEMCO) and academia (University of Washington). How does healthcare compare?

"I think healthcare is behind," he said. "Its systems were developed with paper in mind."

In the span of just few years, though, the industry has digitized with lightning speed (compared to other industries, at least) and the "complexity of all the medical devices and medical systems" has made for huge headaches as patient data proliferates.

[Learn more: Meet the speakers at HIMSS and Healthcare IT News Privacy & Security Forum.]

At 250-bed Seattle Children's, "we now have several hundred different medical applications," said Ewell. "Probably 20–30 that actually connect directly to the EMR. How do we share the data, protect the data, collaborate, but do it very securely? It's very challenging."

So is the much more abstract goal of "understanding the threats that are out there," he said -- threats that seem continually to morph and grow bolder, even as they remain in the shadows.

"How do you understand who is attacking you so you can better design protective mechanisms?" said Ewell. "That's the utopia we're all after. How do you find that needle in a haystack? And then getting an alert on it in real-time or near real-time."

Toward that end, Seattle Children's has a "very active intelligence program," he said. "We don't rely just on our own monitoring. I work with a lot of third parties. I work with our government agencies, with our own healthcare agencies, other financial agencies to understand where the real threats are. You can't rely on your own systems. You have to collaborate with other partners."

That risk-based approach is key, said Ewell. "My entire policy, strategy, protocol, everything is designed around the protection of the data. We're not compliance-driven. We're risk-driven."

As the CISO role grows in power and importance nationwide, that's the right strategy, he said.

"You can't just focus on your typical, traditional information security practices; they're too technology-focused and this risk is far greater than just technology can fix." 

CISOs: Healthcare's new rock stars

CISO and CIOs: Why can't we be friends?
Should CISOs have as much power as CIOs?

Infographics:

Biggest barriers to better security

Greatest areas of improvement in cybersecurity?

Top 10 cybersecurity threats of the future